The moment your startup becomes visible — a TechCrunch mention, a Product Hunt front page, a fundraising announcement — it also becomes a target. Domain squatters run automated tools that watch for exactly these signals and register brand-adjacent domains within hours. By the time you think to check, they're already parked on YourBrand-app.com, asking $5,000 for the privilege of getting it back.
Defensive domain registration is the practice of proactively registering the domain variants that matter before anyone else can use them against you. Done right, it costs a few hundred dollars a year and closes down the most damaging avenues for brand confusion, customer misdirection, and phishing attacks. Done wrong — or not done at all — it's a liability that grows with your brand.
This guide covers which domains to register, how much to spend at each stage, the typo and impersonation threat specifically, and how to reclaim a domain you should have registered earlier.
What Defensive Registration Actually Protects Against
There are three distinct threats that defensive registration addresses, and they're worth separating because the priority order differs for different companies.
- Typo squatting. Someone registers a common misspelling of your domain (GooglE.com, Amaz0n.com) and either monetises the traffic with ads, redirects to a competitor, or runs a phishing operation. At scale this is a significant revenue leak — customers who mistype your URL end up somewhere else and may never come back.
- Brand impersonation and phishing. A bad actor registers YourBrand-support.com or YourBrand-login.com and uses it to harvest credentials or payment details from your customers. This is a security threat as much as a brand threat, and your liability exposure if customers are defrauded on a convincing impersonation site is real.
- Competitive misdirection. A competitor (or a disgruntled party) registers YourBrandSucks.com or YourBrandReviews.com and uses it to run negative campaigns. Less common but high-impact when it happens, particularly during fundraising or acquisition due diligence.
The fundraising announcement window: Cybersquatters specifically watch Crunchbase, TechCrunch, and AngelList for funding announcements. The period immediately after a public funding announcement is when brand-adjacent domain registrations spike most sharply. The right time to do a defensive sweep is before you announce — ideally the week before the press release goes out.
The Five Domain Variants Every Brand Should Register
Not all variants are worth registering — the universe of possible domain combinations is infinite, and spending $10,000/year on paranoid coverage is not the goal. These five categories cover the meaningful risk at a manageable cost.
-
Your primary TLD plus .com (if different) If you're on .io, .ai, or .co as your primary domain, the matching .com is the single most important defensive registration. Customers default to .com when typing from memory. If you don't own it, someone else will — and they'll get your direct-type traffic.
-
Common misspellings of your brand name One or two characters are enough to capture the majority of mistype traffic. Focus on: transposed characters in the most commonly mistyped letter pairs, dropped letters in longer names, phonetic alternatives (f vs ph, c vs k), and the most common autocorrect substitution if your name is unusual. Register these as redirects to your primary domain.
-
The hyphenated version If your brand name is two words, register both the unhyphenated and hyphenated versions regardless of which one you use. Your-brand.com and yourbrand.com should both point at your site. This closes a common squatting vector and prevents confusion in printed materials.
-
ccTLDs for your primary markets Register country-code TLDs for any market where you have significant revenue or marketing spend — or plan to. YourBrand.co.uk, YourBrand.de, YourBrand.com.au. These serve a dual purpose: defensive coverage in those markets, and the infrastructure for eventual localised storefronts or landing pages.
-
High-risk modifier variants YourBrand-support.com, YourBrand-login.com, YourBrandApp.com — the modifier domains most commonly used in impersonation attacks. The threat model here is phishing: register these before a bad actor can, and redirect them all to your primary domain so they can never be used against your customers.
How Much Should You Spend? A Stage-by-Stage Budget
The right defensive portfolio size scales with your brand recognition and risk surface. Here's a practical framework by stage:
Don't over-register early. A pre-revenue startup spending $2,000/year on 150 defensive domains is wasting money that should be going into product and growth. Defensive registration is risk management — scale it proportionally to the actual risk surface, not to an abstract ideal of complete coverage.
Setting Up Redirects: The Step Everyone Skips
Registering a domain without redirecting it is half a job. Every defensive domain you own but don't redirect to your primary site is a dead end for any visitor who lands on it — which defeats the purpose of owning it.
The setup is simple: for each defensive domain, configure a server-side 301 redirect to your primary domain. Most registrars offer URL forwarding in their DNS settings, which works for basic cases. If you're managing a larger portfolio, a dedicated redirect service or a simple Cloudflare Worker gives you more control and better logging.
Once redirects are live, you'll start to see defensive domain traffic in your analytics. Most brands with moderate recognition find that their typo domains collectively send 1–3% of direct traffic volume — traffic that was previously being lost. For a brand doing $2M in revenue with strong direct traffic, that's meaningful.
What To Do If You're Already Behind
You Googled your brand name and found a squatter sitting on a domain variant you should own. Your options, in order of preference:
-
Buy it directly If the domain is parked and not actively used against you, make a low-key offer through a domain broker or directly via the WHOIS contact. Don't reveal that you're the brand owner in your first contact — it drives the price up immediately. A parked squatter domain often sells for $500–2,000 if approached neutrally. Escalate to a broker if direct contact fails.
-
File a UDRP complaint If you have a registered trademark and the domain was clearly registered in bad faith (after your trademark or after your brand became known), a UDRP complaint through ICANN is the standard path. Cost: $1,500–4,000 depending on the provider (WIPO, NAF, Forum). Timeline: 2–3 months. Win rate: approximately 80% for trademark holders with clear bad-faith cases. You get the domain transferred, not damages.
-
Legal action (ACPA) In the US, the Anticybersquatting Consumer Protection Act allows you to sue for statutory damages of $1,000–100,000 per domain, plus attorney's fees in egregious cases. This is the nuclear option — expensive and slow, but the threat of it often produces a settlement or voluntary transfer. Reserve for cases involving active phishing or impersonation where the UDRP timeline is too slow.
Trademark registration accelerates all of this. A registered trademark (not just common-law trademark rights) makes UDRP filings faster and stronger, gives you standing for ACPA claims, and often causes squatters to sell proactively once they know you're organised. If your brand has meaningful traction, trademark registration is a prerequisite for effective domain protection — not an optional extra.
Brand Monitoring: Staying Ahead Going Forward
Defensive registration is a one-time catch-up; brand monitoring is the ongoing practice that keeps you ahead. Several services watch for new domain registrations that match your brand patterns and alert you within hours.
At minimum, set up a Google Alert for your brand name combined with terms like "domain" and "scam" — this catches press coverage of impersonation attempts. At the next level, use a service like DomainTools, MarkMonitor, or Corsair's brand protection tooling to get automated alerts on new registrations. The cost is $50–500/month depending on coverage — worth it once your brand has meaningful public recognition.
Defensive domain portfolio checklist
- Primary domain registered with auto-renew enabled (never let this lapse)
- .com registered if your primary is a different TLD
- 1–3 common misspellings registered and 301-redirecting to primary
- Hyphenated variant registered and redirecting
- ccTLDs for all markets with active revenue or marketing spend
- High-risk modifier variants (-support, -login, -app) registered and redirecting
- All defensive domains on auto-renew with same registrar as primary
- WHOIS privacy enabled on all domains
- Trademark registration filed or in progress (required for UDRP standing)
- Brand monitoring alert set up for new registrations
Start with a name that's defensible
A distinctive brand name is easier and cheaper to defend than a generic one. Domain-ate finds available names with low impersonation risk built in.
Find My Brand Name — FreeFrequently Asked Questions
How many domains should I register defensively?
For an early-stage startup, 5–10 domains covers the meaningful risk: your primary TLD, the .com equivalent if you're on another TLD, 1–2 common misspellings, and the most relevant ccTLDs for markets you plan to enter. Once you have significant brand recognition or are post-Series A, expand to cover more typo variants and additional TLDs. There's no need to register every conceivable variation — focus on the ones that would actually intercept meaningful traffic or enable impersonation.
Do I need to redirect all my defensive domains?
Yes — any domain you register but don't redirect is dead traffic. Every visitor who lands on an unredirected domain has found you, and you've let them walk away. Set up 301 redirects from all defensive registrations to your primary domain. This takes 10 minutes per domain and recovers traffic you've already paid to generate through marketing.
What can I do if someone is cybersquatting on my brand name?
You have three options: buy the domain directly from the squatter (fastest but may be expensive), file a UDRP complaint through ICANN (costs $1,500–$4,000, takes 2–3 months, strong win rate if you have trademark registration), or pursue legal action under the Anticybersquatting Consumer Protection Act in the US. UDRP is the standard first move for trademark holders — it's faster and cheaper than litigation, and you win the majority of cases where the domain was clearly registered in bad faith.
Should I register domains with my competitors' names?
No. Registering a domain that includes a competitor's trademark is reverse cybersquatting and exposes you to significant legal liability, including UDRP complaints and trademark infringement claims. Defensive registration is about protecting your own brand — not intercepting competitor traffic.
The Bottom Line
Defensive domain registration is insurance. Like all insurance, you pay for it before you need it — because by the time you need it, the cost of not having it is much higher than the cost of the premium.
The right approach is proportional: register the highest-priority variants at launch, expand the portfolio as your brand recognition grows, put everything on auto-renew, redirect all of it to your primary domain, and add monitoring once you have traction worth protecting. That's it. You don't need to register the entire namespace — just the domains that would actually hurt if someone else owned them.
And if you're still choosing your brand name, consider defensibility as part of the selection criteria. A distinctive, invented brand name has a much smaller meaningful typo surface than a keyword-descriptive name, which makes the defensive portfolio cheaper and the trademark easier to register. If you need help finding a distinctive name that's available, Domain-ate was designed for exactly that.